diff options
author | Evgeny Grin (Karlson2k) <k2k@narod.ru> | 2022-07-20 17:16:58 +0300 |
---|---|---|
committer | Evgeny Grin (Karlson2k) <k2k@narod.ru> | 2022-07-21 15:07:07 +0300 |
commit | 69aec9dc33b71c782075a263f1484945f399078f (patch) | |
tree | 029c10a8330435cdd8b891f1960f17830bf370a6 | |
parent | b528bec9c1a9332c49813d8e3df7dcc0eb7b63db (diff) | |
download | libmicrohttpd-69aec9dc33b71c782075a263f1484945f399078f.tar.gz libmicrohttpd-69aec9dc33b71c782075a263f1484945f399078f.zip |
digest_auth_check(): updated the order of parameters check
If more than one parameter is wrong, then the first checked wrong
parameter will be reported, so check the most important parameters
first.
-rw-r--r-- | src/microhttpd/digestauth.c | 82 |
1 files changed, 43 insertions, 39 deletions
diff --git a/src/microhttpd/digestauth.c b/src/microhttpd/digestauth.c index 6bb2aa22..46c47eda 100644 --- a/src/microhttpd/digestauth.c +++ b/src/microhttpd/digestauth.c | |||
@@ -1937,6 +1937,7 @@ digest_auth_check_all_inner (struct MHD_Connection *connection, | |||
1937 | return MHD_DAUTH_WRONG_HEADER; | 1937 | return MHD_DAUTH_WRONG_HEADER; |
1938 | 1938 | ||
1939 | /* ** A quick check for presence of all required parameters ** */ | 1939 | /* ** A quick check for presence of all required parameters ** */ |
1940 | |||
1940 | if ((NULL == params->username.value.str) && | 1941 | if ((NULL == params->username.value.str) && |
1941 | (NULL == params->username_ext.value.str)) | 1942 | (NULL == params->username_ext.value.str)) |
1942 | return MHD_DAUTH_WRONG_HEADER; | 1943 | return MHD_DAUTH_WRONG_HEADER; |
@@ -1950,13 +1951,6 @@ digest_auth_check_all_inner (struct MHD_Connection *connection, | |||
1950 | if (NULL == params->realm.value.str) | 1951 | if (NULL == params->realm.value.str) |
1951 | return MHD_DAUTH_WRONG_HEADER; | 1952 | return MHD_DAUTH_WRONG_HEADER; |
1952 | 1953 | ||
1953 | if (NULL == params->nonce.value.str) | ||
1954 | return MHD_DAUTH_WRONG_HEADER; | ||
1955 | else if (0 == params->nonce.value.len) | ||
1956 | return MHD_DAUTH_NONCE_WRONG; | ||
1957 | else if (NONCE_STD_LEN (digest_size) * 2 < params->nonce.value.len) | ||
1958 | return MHD_DAUTH_NONCE_WRONG; | ||
1959 | |||
1960 | if (NULL == params->nc.value.str) | 1954 | if (NULL == params->nc.value.str) |
1961 | return MHD_DAUTH_WRONG_HEADER; | 1955 | return MHD_DAUTH_WRONG_HEADER; |
1962 | else if (0 == params->nc.value.len) | 1956 | else if (0 == params->nc.value.len) |
@@ -1978,13 +1972,6 @@ digest_auth_check_all_inner (struct MHD_Connection *connection, | |||
1978 | else if (MHD_STATICSTR_LEN_ ("auth-int") * 2 < params->qop.value.len) | 1972 | else if (MHD_STATICSTR_LEN_ ("auth-int") * 2 < params->qop.value.len) |
1979 | return MHD_DAUTH_WRONG_QOP; | 1973 | return MHD_DAUTH_WRONG_QOP; |
1980 | 1974 | ||
1981 | if (NULL == params->response.value.str) | ||
1982 | return MHD_DAUTH_WRONG_HEADER; | ||
1983 | else if (0 == params->response.value.len) | ||
1984 | return MHD_DAUTH_RESPONSE_WRONG; | ||
1985 | else if (digest_size * 4 < params->response.value.len) | ||
1986 | return MHD_DAUTH_RESPONSE_WRONG; | ||
1987 | |||
1988 | if (NULL == params->uri.value.str) | 1975 | if (NULL == params->uri.value.str) |
1989 | return MHD_DAUTH_WRONG_HEADER; | 1976 | return MHD_DAUTH_WRONG_HEADER; |
1990 | else if (0 == params->uri.value.len) | 1977 | else if (0 == params->uri.value.len) |
@@ -1992,8 +1979,47 @@ digest_auth_check_all_inner (struct MHD_Connection *connection, | |||
1992 | else if (_MHD_AUTH_DIGEST_MAX_PARAM_SIZE < params->uri.value.len) | 1979 | else if (_MHD_AUTH_DIGEST_MAX_PARAM_SIZE < params->uri.value.len) |
1993 | return MHD_DAUTH_TOO_LARGE; | 1980 | return MHD_DAUTH_TOO_LARGE; |
1994 | 1981 | ||
1982 | if (NULL == params->nonce.value.str) | ||
1983 | return MHD_DAUTH_WRONG_HEADER; | ||
1984 | else if (0 == params->nonce.value.len) | ||
1985 | return MHD_DAUTH_NONCE_WRONG; | ||
1986 | else if (NONCE_STD_LEN (digest_size) * 2 < params->nonce.value.len) | ||
1987 | return MHD_DAUTH_NONCE_WRONG; | ||
1988 | |||
1989 | if (NULL == params->response.value.str) | ||
1990 | return MHD_DAUTH_WRONG_HEADER; | ||
1991 | else if (0 == params->response.value.len) | ||
1992 | return MHD_DAUTH_RESPONSE_WRONG; | ||
1993 | else if (digest_size * 4 < params->response.value.len) | ||
1994 | return MHD_DAUTH_RESPONSE_WRONG; | ||
1995 | |||
1995 | /* ** Check simple parameters match ** */ | 1996 | /* ** Check simple parameters match ** */ |
1996 | 1997 | ||
1998 | /* Check 'algorithm' */ | ||
1999 | if (1) | ||
2000 | { | ||
2001 | const enum MHD_DigestAuthAlgo3 r_algo = get_rq_algo (params); | ||
2002 | const enum MHD_DigestBaseAlgo p_algo = da->algo; | ||
2003 | if ( (! ((MHD_DIGEST_AUTH_ALGO3_MD5 == r_algo) && | ||
2004 | (MHD_DIGEST_BASE_ALGO_MD5 == p_algo))) && | ||
2005 | (! ((MHD_DIGEST_AUTH_ALGO3_SHA256 == r_algo) && | ||
2006 | (MHD_DIGEST_BASE_ALGO_SHA256 == p_algo))) ) | ||
2007 | return MHD_DAUTH_WRONG_ALGO; | ||
2008 | } | ||
2009 | /* 'algorithm' valid */ | ||
2010 | |||
2011 | /* Check 'qop' */ | ||
2012 | /* TODO: support MHD_DIGEST_AUTH_QOP_NONE and MHD_DIGEST_AUTH_QOP_AUTH_INT */ | ||
2013 | if (MHD_DIGEST_AUTH_QOP_AUTH != get_rq_qop (params)) | ||
2014 | return MHD_DAUTH_WRONG_QOP; | ||
2015 | /* 'qop' valid */ | ||
2016 | |||
2017 | /* Check 'realm' */ | ||
2018 | realm_len = strlen (realm); | ||
2019 | if (! is_param_equal (¶ms->realm, realm, realm_len)) | ||
2020 | return MHD_DAUTH_WRONG_REALM; | ||
2021 | /* 'realm' valid */ | ||
2022 | |||
1997 | /* Check 'username' */ | 2023 | /* Check 'username' */ |
1998 | username_len = strlen (username); | 2024 | username_len = strlen (username); |
1999 | if (NULL != params->username.value.str) | 2025 | if (NULL != params->username.value.str) |
@@ -2026,32 +2052,8 @@ digest_auth_check_all_inner (struct MHD_Connection *connection, | |||
2026 | } | 2052 | } |
2027 | /* 'username' valid */ | 2053 | /* 'username' valid */ |
2028 | 2054 | ||
2029 | /* Check 'realm' */ | ||
2030 | realm_len = strlen (realm); | ||
2031 | if (! is_param_equal (¶ms->realm, realm, realm_len)) | ||
2032 | return MHD_DAUTH_WRONG_REALM; | ||
2033 | /* 'realm' valid */ | ||
2034 | |||
2035 | /* Check 'qop' */ | ||
2036 | /* TODO: support MHD_DIGEST_AUTH_QOP_NONE and MHD_DIGEST_AUTH_QOP_AUTH_INT */ | ||
2037 | if (MHD_DIGEST_AUTH_QOP_AUTH != get_rq_qop (params)) | ||
2038 | return MHD_DAUTH_WRONG_QOP; | ||
2039 | /* 'qop' valid */ | ||
2040 | |||
2041 | /* Check 'algorithm' */ | ||
2042 | if (1) | ||
2043 | { | ||
2044 | const enum MHD_DigestAuthAlgo3 r_algo = get_rq_algo (params); | ||
2045 | const enum MHD_DigestBaseAlgo p_algo = da->algo; | ||
2046 | if ( (! ((MHD_DIGEST_AUTH_ALGO3_MD5 == r_algo) && | ||
2047 | (MHD_DIGEST_BASE_ALGO_MD5 == p_algo))) && | ||
2048 | (! ((MHD_DIGEST_AUTH_ALGO3_SHA256 == r_algo) && | ||
2049 | (MHD_DIGEST_BASE_ALGO_SHA256 == p_algo))) ) | ||
2050 | return MHD_DAUTH_WRONG_ALGO; | ||
2051 | } | ||
2052 | /* 'algorithm' valid */ | ||
2053 | |||
2054 | /* ** Do basic nonce and nonce-counter checks (size, timestamp) ** */ | 2055 | /* ** Do basic nonce and nonce-counter checks (size, timestamp) ** */ |
2056 | |||
2055 | /* Get 'nc' digital value */ | 2057 | /* Get 'nc' digital value */ |
2056 | unq_res = get_unquoted_param (¶ms->nc, tmp1, ptmp2, &tmp2_size, | 2058 | unq_res = get_unquoted_param (¶ms->nc, tmp1, ptmp2, &tmp2_size, |
2057 | &unquoted); | 2059 | &unquoted); |
@@ -2137,6 +2139,7 @@ digest_auth_check_all_inner (struct MHD_Connection *connection, | |||
2137 | not used before */ | 2139 | not used before */ |
2138 | 2140 | ||
2139 | /* ** Build H(A2) and check URI match in the header and in the request ** */ | 2141 | /* ** Build H(A2) and check URI match in the header and in the request ** */ |
2142 | |||
2140 | /* Get 'uri' */ | 2143 | /* Get 'uri' */ |
2141 | digest_init (da); | 2144 | digest_init (da); |
2142 | digest_update_str (da, connection->method); | 2145 | digest_update_str (da, connection->method); |
@@ -2173,6 +2176,7 @@ digest_auth_check_all_inner (struct MHD_Connection *connection, | |||
2173 | /* Got H(A1) */ | 2176 | /* Got H(A1) */ |
2174 | 2177 | ||
2175 | /* ** Check 'response' ** */ | 2178 | /* ** Check 'response' ** */ |
2179 | |||
2176 | digest_init (da); | 2180 | digest_init (da); |
2177 | /* Update digest with H(A1) */ | 2181 | /* Update digest with H(A1) */ |
2178 | mhd_assert (sizeof (tmp1) >= (digest_size * 2 + 1)); | 2182 | mhd_assert (sizeof (tmp1) >= (digest_size * 2 + 1)); |